Insert or Embed Articulate Content into WordPress <= 4.3000000025 – Iframe Injection | CVE 2024-0756 | Plugin Vulnerabilities

Description

The plugin lacks validation of URLs when adding iframes, allowing attackers to inject an iFrame in the page and thus load arbitrary content from any page.

Proof of Concept

1) Create a new post
2) Add and e-Learning block and upload a zip file
3) Select the "Insert As: Iframe" option
4) Intercept the request to create a new post and in the body:

```
POST /index.php?rest_route=%2Fwp%2Fv2%2Fposts%2F236&_locale=user HTTP/2

{"id":236,"content":"<!-- wp:e-learning/block {\"src\":\"/wp-content/uploads/articulate_uploads/__ARCHIVE_NAME__/main.html\",\"href\":\"/wp-content/uploads/articulate_uploads/__ARCHIVE_NAME__/main.html\"} /-->","status":"publish"}
```

change the `src` to a URL of an external site.
5) Open the new post and see that it loads the content from the original source

Affects Plugins

insert-or-embed-articulate-content-into-wordpress

Fixed in 4.3000000025

References

CVE

URL

https://research.cleantalk.org/cve-2024-0756/

YouTube Video

Classification

Type

CONTENT INJECTION

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Dmitrii Ignatyev

Submitter

Dmitrii Ignatyev

Submitter website

https://research.cleantalk.org

Verified

Yes

WPVDB ID

9130a42d-fca3-4f9c-ab97-d5e0a7a5cef2

Timeline

Publicly Published

2024-05-14 (about 1 year ago)

Added

2024-05-14 (about 1 year ago)

Last Updated

2025-04-29 (about 8 months ago)

Other

Published

Title

Published

2024-04-22

Title

Pricing Table by Supsystic < 1.9.13 - Admin+ Content Injection

Published

2024-06-06

Title

YITH WooCommerce Product Add-Ons < 4.9.3 - Unauthenticated Content Injection

Published

2023-11-07

Title

Foyer <= 1.7.5 - Content Injection via Improper Access Control

Published

2024-02-20

Title

Tutor LMS < 2.6.1 - Student+ HTML Injection via Q&A

Published

2025-12-12

Title

TI WooCommerce Wishlist < 2.11.0 - Unauthenticated HTML Injection